Re: re-route mails on demand during block of ip address

On 31 May 2019, at 11:12, Stefan Bauer wrote: > thank you for your reply. You know, in real world, ips/ranges get blocked > from time to time Not be legitimate RBLs they don't unless you are actually sending spam. If more IPs than just you mail server are getting blocked, then you probably

Re: Mail Delivery Status report

> On 31 May 2019, at 00:33, Bastian Blank > wrote: > > On Fri, May 31, 2019 at 12:03:37AM -0600, @lbutlr wrote: >> I am getting mail delivery status reports for every bcc email (that is, >> every email, since I use a bcc map to create a backup of all the mail). >

Mail Delivery Status report

I am getting mail delivery status reports for every bcc email (that is, every email, since I use a bcc map to create a backup of all the mail). I've looked through all the postfix files for any instance of sendmail -v, and have only found it as a comment in bounce.cf.default

Re: opendmarc.dat Permission denied issues

> On 30 May 2019, at 07:37, Matus UHLAR - fantomas wrote: > > On 30.05.19 07:27, @lbutlr wrote: >> On 30 May 2019, at 07:24, @lbutlr wrote: >>> But can still be deleted at any time, just "less frequently than /tmp"; >>> certainly not a

Re: opendmarc.dat Permission denied issues

On 30 May 2019, at 07:24, @lbutlr wrote: > But can still be deleted at any time, just "less frequently than /tmp"; > certainly not a place to store necessary files. I don't see this anywhere for > *BSD, thankfully, so I can safely ignore it. Goops, forgot to past this:

Re: opendmarc.dat Permission denied issues

On 30 May 2019, at 06:32, Matus UHLAR - fantomas wrote: >> On 29 May 2019, at 08:52, Benny Pedersen wrote: >>> /var/tmp must not be cleaned after boots, /tmp will be cleaned on boot > > On 30.05.19 04:44, @lbutlr wrote: >> I've never heard that. Is that a real t

Re: Postscreen - fatal: btree:/var/db/postfix/postscreen_cache

On 30 May 2019, at 02:39, Jos Chrispijn wrote: > A friend advised me to run /postfix/update and it looks as if this did the > trick. Part of that file contains: > > newaliases > postalias hash:/etc/aliases > postfix reload > postfix flush Wher e did that come from? (It doesn't exist on my

Re: opendmarc.dat Permission denied issues

On 29 May 2019, at 08:52, Benny Pedersen wrote: > /var/tmp must not be cleaned after boots, /tmp will be cleaned on boot I've never heard that. Is that a real thing or just your own 'rule'? -- Lobotomy means never having to say you're sorry -- or anything else.

Re: Blacklist honeypot senders

On 24 May 2019, at 12:52, Rafael Azevedo wrote: > > Hi there, > > I've done that by building a policy filter that bans those IPs using > iptables whenever those trap accounts get reached. Oh, well, that sounds lovely. Is it sharable? (shouldn't be much iss ti adapt it to pf) > It wasn't that

Re: Blacklist honeypot senders

On 24 May 2019, at 11:23, Noel Jones wrote: > On 5/24/2019 11:33 AM, @lbutlr wrote: >> I have an active email address that only receives spam (it is an address >> that wasn't used for years but I've recently reactive to see just how much >> spam an unprotected decades ol

Blacklist honeypot senders

I have an active email address that only receives spam (it is an address that wasn't used for years but I've recently reactive to see just how much spam an unprotected decades old account that hasn't accepted mail since 2006 would get). Anyway, what I would like to do is somehow blacklist any

Re: Tell LMTP who is original recipient?

On 21 May 2019, at 15:36, MRob wrote: > Privacy problem is addressed with smtpd_recipient_limit=1 but thats not very > feasible. Are you sure? I think even the big mailing-list services send individual messages now-a-days. -- Good old Dame Fortune. You can _depend_ on her.

Re: Modify logs for delivery?

On 21 May 2019, at 15:07, @lbutlr wrote: > May 21 14:52:32 mail postfix/local[63216]: 457nyS31Y4zdrvK: > to=, orig_to=, relay=local, > delay=0.39, delays=0.34/0.01/0/0.04, dsn=2.0.0, status=sent (delivered to > command: /usr/local/bin/procmail -t -a $EXTENSION) > > Ma

Modify logs for delivery?

I may have asked this in the past, but ion so it's been longe enough I don't remember and can't find it my mail archives. Is there some way to modify what is logged from postfix/local and postfix/pipe so that the "status=sent" lines include the from address as well as the to address? May 21

Re: Block spam at smtp time, but then still forward to users spam box

On 20 May 2019, at 01:42, Brent Clark wrote: > My colleague has proposed that at smtp time, if a mail is deemed as spam, the > server issues a reject code, but then to too accept the mail and forward the > mail the user for incase its a false positive. The odds of a mail scoring over 10.0 on

Re: Ris: AWS timeout

On 14 May 2019, at 21:35, Ron Wheeler wrote: > If people knew how much of the email travels over the internet as a result of > his work, he would be a tech star. I really doubt he is interested in notoriety. -- 'You're your own worst enemy, Rincewind,' said the sword. Rincewind looked up at

Re: GEO IP based restrictions?

On 14 May 2019, at 13:15, @lbutlr wrote: > On 14 May 2019, at 11:41, @lbutlr wrote: >> Has anyone implemented geo based restrictions for postfix login connections, >> or is this something that needs to be done in dovecot? > > This seemed to work pretty well > > pf

Re: GEO IP based restrictions?

On 14 May 2019, at 11:41, @lbutlr wrote: > Has anyone implemented geo based restrictions for postfix login connections, > or is this something that needs to be done in dovecot? This seemed to work pretty well pfctl -t badguys -T add $(cat block.zone) I can then flush and add when th

Re: GEO IP based restrictions?

> On 14 May 2019, at 11:48, John Peach wrote: > > On 5/14/19 1:41 PM, @lbutlr wrote: >> Has anyone implemented geo based restrictions for postfix login connections, >> or is this something that needs to be done in dovecot? >> I was thinking someway to add most

GEO IP based restrictions?

Has anyone implemented geo based restrictions for postfix login connections, or is this something that needs to be done in dovecot? I was thinking someway to add most of Asia and Eastern Europe to postscreen checks would be useful? -- "One of the great tragedies of life is the murder of a

Re: include full original message in bounce

On 9 May 2019, at 09:53, Viktor Dukhovni wrote: > But in fact, my view is that bounces should always be headers-only, > and if you're sending important content whose only copy is in the > outbound message, which is "lost" if not delivered, then that's the > problem, fix the sending software to

Re: Blacklistd interaction

On 6 May 2019, at 11:22, lists wrote: > It had been my experience that the firewall uses more resources that > SSHGuard. Certainly it uses more memory. But you do not have to use a firewall if that's an issue. /etc/hosts.allow is always an option, and that block is practically free. -- I

Re: Blacklistd interaction

On 6 May 2019, at 06:33, Lefteris Tsintjelis wrote: > On 6/5/2019 15:14, @lbutlr wrote: >> On 6 May 2019, at 02:10, Lefteris Tsintjelis wrote: >>> Fail2ban and equivalent log parsers are just too resource hungry, >> No they aren't. > > Yes they are. Not on my sup

Re: Blacklistd interaction

On 6 May 2019, at 02:10, Lefteris Tsintjelis wrote: > On 6/5/2019 9:42, @lbutlr wrote: >> On 4 May 2019, at 15:52, Lefteris Tsintjelis wrote: >>> Would be great to consider its future adoption and if possible to take it >>> even further to interact with postscreen.

Re: Blacklistd interaction

On 4 May 2019, at 15:52, Lefteris Tsintjelis wrote: > Would be great to consider its future adoption and if possible to take it > even further to interact with postscreen. Why would this be a good thing for postfix to do? There are already plenty of tools that generate block lists for the

Re: How "safe" is reject_unknown_helo_hostname?

On 28 Apr 2019, at 03:00, Allen Coates wrote: > On 27/04/2019 23:21, @lbutlr wrote: >> >> smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, >>reject_non_fqdn_helo_hostname, check_helo_access >>pcre:/etc/postfix/helo_checks.pcre permit

Re: Sporadic, repeated connections from aws

On Apr 27, 2019, at 20:15, Noel Jones wrote: > > I still use the fqrdns.pcre too, and I can't remember the last false negative > when it rejected good mail. Thanks. That’s what I suspected, but confirmation is good to have. -- This is my signature. There are many like it, but this one is

Re: How "safe" is reject_unknown_helo_hostname?

On Apr 27, 2019, at 21:13, Bill Cole wrote: > > I keep permit_my_networks out of my postfix config entirely Thanks. I keep meaning to look into doing that, but then I don’t seem to get around to it. My mail server isn’t on a LAN IP, so that doesn’t apply. I’ll keep looking at logs to see if

Re: How "safe" is reject_unknown_helo_hostname?

On 27 Apr 2019, at 14:28, Bill Cole wrote: > On 27 Apr 2019, at 15:28, TG Servers wrote: > >> But you mean to keep reject_non_fqdn_helo_hostname and >> reject_invalid_helo_hostname, right? > > Yes but as part of smtpd_helo_restrictions with a substantial > check_helo_access map ahead of them

Re: How "safe" is reject_unknown_helo_hostname?

> On 27 Apr 2019, at 13:40, Bill Cole > wrote: > > On 27 Apr 2019, at 15:23, @lbutlr wrote: > >> Do you still see connections from hotmail.com mail servers? > > That depends on what you mean by "hotmail.com mail servers." > I see a lot of traffic f

Sporadic, repeated connections from aws

I've had the following in my fqrdns.pcre checks for quite awhile: /^ec2(-[12]?[0-9]{1,2}){4}\.compute-[0-9]\.amazonaws\.com$/ REJECT Generic - Please relay via ISP (amazonaws.com) And I have noticed that I frequently get a series of 50 or more connection attempts from some aws server out

Re: unable to find user

> On 27 Apr 2019, at 09:06, Matus UHLAR - fantomas wrote: > > On 27.04.19 09:04, @lbutlr wrote: >> I am using postfix => spamass-milter => SpamAssassin and I get occasional >> errors like these. >> >> spamd: handle_user (userdir) unable to find user:

unable to find user

I am using postfix => spamass-milter => SpamAssassin and I get occasional errors like these. spamd: handle_user (userdir) unable to find user: 'virtualuser' For example, if I have a virtual user "john" who redirects to the local user jsmith, I get that error with the username of "john" while

Re: How "safe" is reject_unknown_helo_hostname?

On 25 Apr 2019, at 17:56, Allen Coates wrote: > I have been looking at the configuration parameter > "reject_unknown_helo_hostname", with a view to using it to resist spam. I don't think that's going to be helpful enough to make up for the legitimate messages you will lose. Not all senders have

Re: Big problem with this mailing list and Majordomo regarding DMARC

On 19 Apr 2019, at 23:04, Peter wrote: > But this is just one example of where a header might be signed and then is > later added or altered by the mailing list, The only headers that mailing lists often alter are subject (though i think that is dying off, hopefully) and the only

Re: How to allow the milter first access to recipients?

On 18 Apr 2019, at 13:15, ecsd wrote: > > The logs show that postfix examines the recipients before the milter is given > the chance to see them. > I have a milter that detects certain RCPT patterns harassing a domain name > and will discard (not bounce) the mail, > but that code cannot be

Re: possible to reach hardenize's requirements?

On 13 Apr 2019, at 00:57, Dominic Raferd wrote: > I too find that hardenize complains about my STARTTLS without any details as > to why. Like @lbutlr (and most of us) I offer STARTTLS on port 25 but not > AUTH. However I see this message in my log after the test ran, I think &g

Re: possible to reach hardenize's requirements?

> On 12 Apr 2019, at 10:42, micah anderson wrote: > > "@lbutlr" writes: > >> On 12 Apr 2019, at 08:46, micah anderson wrote: >>> he site https://hardenize.com provides relatively decent Email reports, >>> along with other reports. It checks a

Re: possible to reach hardenize's requirements?

On 12 Apr 2019, at 08:46, micah anderson wrote: > he site https://hardenize.com provides relatively decent Email reports, > along with other reports. It checks a number of things including certs, > MTA-STS, TLS-RPT, DANE, SPF, DMARC, and then also TLS. These are all > good checks and

Re: SPF and Greylisting

On 5 Apr 2019, at 09:11, Viktor Dukhovni wrote: > Note that you SHOULD NOT ultimately refuse email on SPF softfail, > but greylisting would be OK, if you find it meets your needs. Is grey listing still effective? I know when I stopped using it it was not doing much of anything and I can't

Re: Authentication attempts for x...@com.au addresses

On 2 Apr 2019, at 14:30, Esteban L wrote: > The times are in seconds, so you'll need to calculate those times. a month is 2629743 seconds. An hour, of course is 3600, but I prefer 86400 which is one day. BTW, pi seconds is very close to 1 nano century. -- <[TN]FBMachine> I got kicked out of

Re: pishing from ME

On 24 Mar 2019, at 09:32, Michael wrote: > header CUST_DMARC_FAIL Authentication-Results =~ /mydomain\.com; dmarc=fail/ > score CUST_DMARC_FAIL 4.0 Have you checked this against your spam? You're going to have a lot of problems with a score of 4.0, I expect. -- "Some cause happiness wherever

Re: pishing from ME

On 22 Mar 2019, at 19:45, Bill Cole wrote: > Do not accept mail claiming to be from any address in a local domain on the > port 25 (smtp) smtpd service. Only accept such mail via port 587 (submission) > and 465 (smtps) services configured to require authentication. And the way to do this is:

Re: Understanding the importance of submission

On 21 Mar 2019, at 06:50, Bill Cole wrote: > Requiring authentication to relay on *ANY* port is essential. Even if you do > authentication by IP (e.g. permit_mynetworks) or other out-of-band > mechanisms, failing to require authentication to relay will eventually lead > to a system being

Re: Permanent store of incoming mail.

On 20 Mar 2019, at 15:40, Patrick Ben Koetter wrote: > Or, if you use dovecot as storage, create a second dovecot instance and dsync > messages from first to second instance. This is a much better solution in terms of features and making that alternate mailspool available. Mine is better in

Re: Permanent store of incoming mail.

On 20 Mar 2019, at 15:06, Homer Wilson Smith wrote: >Pointers to RTFM > >Running Centos 7.x, latest postfix. > >What is the best way to keep a permanent store for > incgoing e-mail. Doesn't have to be forever. 1 year perhaps. I use recipient_bcc_maps -- 'The trouble with my

Re: "Chunk exceeds message size limit"

On 19 Mar 2019, at 13:00, Viktor Dukhovni wrote: > Note that, perhaps unintentionally, the treatment of "message_size_limit > = 0" is not documented to mean "no limit". Perhaps we should also > address that. By forbidding a setting of 0? -- 'They're the cream!' Rincewind sighed. 'Cohen,

Re: Howto reject only one recipient and not drop entire email?

On 18 Mar 2019, at 06:40, Otto Kekäläinen wrote: > How can I configure Postfix so that _only_ malformed addresses are not > delivered to the next SMTP host, while the rest of the recipients in > the same email/To/CC/BCC are delivered as usual? What you are asking for will deliver mail to people

Re: intermittent sasl auth fails?

On 17 Mar 2019, at 15:47, @lbutlr wrote: > On 17 Mar 2019, at 05:40, li...@sbt.net.au wrote: >> (both domains are valid, tld.com as well as tld.com.au) > > both are valid in your lookup table? Have you checked this with postman? postmaP (sorry, spelling correcting one wil

Re: intermittent sasl auth fails?

On 17 Mar 2019, at 05:40, li...@sbt.net.au wrote: > (both domains are valid, tld.com as well as tld.com.au) both are valid in your lookup table? Have you checked this with postman? -- 'There has to be enough light,' he panted, 'to see the darkness.'

Re: Postfix stable release 3.4.2

Please stop sending this nonsense to the list. > On 10 Mar 2019, at 17:21, Francesc Peñalvez wrote: > > * > Este mensaje y todos los archivos adjuntos son confidenciales y de uso > exclusivo por

Re: Question on Relay Host conf

> On 7 Mar 2019, at 20:52, Ozy Mate wrote: > > Dear Friends, > > I have signed up with a 3rd party smtp server as relay host. This server > needs the following lines in the main.cf of our server instead of relayhost > direction: > > smtp_sender_dependent_authentication = yes >

Re: postscreen_dnsbl_action "drop" not working correctly?

On 05 Mar 2019, at 13:50, Mayhem wrote: > I also have nginx/apache and sql running on the same dedicated machine, There will use much more of your system that all of postfix, including your dovecot (or whatever), and the DNS lookups are a minuscule portion of what postfix does. My very

Re: postscreen_dnsbl_action "drop" not working correctly?

On 05 Mar 2019, at 10:00, Dominic Raferd wrote: > Fail2ban is (as you know) a way to tackle it. At 1000 connections a day I don’t think fail2ban or sshguard or whatever is going to save you anything at all. Hundreds of thousands? Maybe? -- Suddenly the animals look shiny and new

Re: Is there any way to add whitelist to ranges or ips domains so that dnsbl are skipped?

On 4 Mar 2019, at 02:55, Francesc Peñalvez wrote: > > Gmail has its ips stuck in almost all dnsbl spam and for that reason I do not > receive any mail from gmail Really? I've haven't found gmail servers to be in RBLs in a long time and wouldn't use a RBL that listed gmail servers. What lists

Re: Unexpected directories in virtual_mailbox_base

On 01 Mar 2019, at 07:21, Thomas Seilund wrote: > -- Once a day for each user I clear the bayes files and rebuild bayes files > with: You are removing the bases entries daily and rebuilding them based on a very few (if any) messages in your LaernAs folders? That’s the same as not using bayes

Re: downgrading from postfix-3.4 fails - unix-dgram

> On 1 Feb 2019, at 01:19, Eray Aslan wrote: > > Downgrading from postfix-3.4 fails with: What exactly do you mean by "Downgrading? And how, exactly, did you attempt to do this? > 3.3.2/image//usr/share/man/man8/virtual.8... > bin/postconf: fatal: invalid type field "unix-dgram" in

Re: Blocked by yahoo.com

On 30 Jan 2019, at 16:26, Philip wrote: > had this exact issue when I first started warming up the IP I was sending my > company email from. Any email going to a Yahoo server you need to throttle > heavily as if you try and send to much too quickly you will get your IP > blocked. I "solved"

Re: Postfix vs. OpenSSL on Debian "buster".

On 24 Jan 2019, at 18:07, Viktor Dukhovni wrote: > This may be especially important with submission, where various > peripheral devices (fax-to-email, printers, ...) may only support > TLSv1. So the "buster" system-wide default of TLSv1.2 and up may > cause problems. The least likely to be

Re: Postfix logging without syslogd

On 21 Jan 2019, at 22:13, Viktor Dukhovni wrote: > 12. The version numbering scheme for Berkeley DB changed from a > five-part number to a three-part number of the form > ... This release is numbered 18.1.x, Do you know why the current version in FreeBSD ports is 6.2.32_1? (or the

Re: Assistance to protect from spam flood

On 12 Jan 2019, at 07:52, Nick Howitt wrote: > Unfortunately I don't have access to the MX Backup service. It is provided by > my DNS provider. Honestly, you should not have an MX server outside of your control. If your server is routinely down for several days, then you shouldn't be running

Re: Postscreen concurrency limits

On 20 Dec 2018, at 11:08, Viktor Dukhovni wrote: > Viruses can come from any source. OK, But I am pretty sure I’ve never seen a virus from mail chimp. I don’t have a large enough load to worry about not scanning, but if I did the first thing I would stop scanning is gmail incoming and the

Re: dnsbl postscreen - not blocking

On 20 Dec 2018, at 06:46, Kai Schaetzl wrote: > Using Sorbs is dangerous, anyway, we abandoned it years ago. If you want > to use it then use it in the way it is intended for weighted RBLs. e.g. do > not use it as the sole source of blocking. I keep parring down my list and am considering

Re: Postscreen concurrency limits

On 18 Dec 2018, at 16:58, Viktor Dukhovni wrote: > The solution is perhaps in part to throw some more CPU at the > problem, but alternatively, assuming that mailchimp et. al. > are not abusing reasonable concurrency limits, you can reduce > the impedance mismatch by increasing the input latency,

Re: Problem with filter

> On 13 Dec 2018, at 20:05, Paul Schmehl wrote: > > --On December 13, 2018 at 9:00:06 PM +0100 Benny Pedersen > wrote: > >> Paul Schmehl skrev den 2018-12-13 20:45: >> The user does not exist until "ls -l" is able to correctly identify the files as belonging to the user.

Re: New install - Temporary lookup failures when trying to send

ersion of mail). > > On 04.12.18 13:47, @lbutlr wrote: >> What do you base this statement on? I’ve been using Apple’s Meal.app since >> around 2003 or so, and I’ve never had it encode everything as Internet >> links more mess up plaintext mail. > > based on sender's

Re: New install - Temporary lookup failures when trying to send

On 5 Dec 2018, at 07:34, Bill Cole wrote: > On 2 Dec 2018, at 20:31, James Brown wrote: > >> I’m trying to set up a new mail server on macOS Mojave and it almost works. >> Dovecot for IMAP is working. > > This is a bad idea. Mojave (like High Sierra and Sierra before it) is unfit > for

Re: client incorrect greeting error, how to resolve?

On Wed Dec 05 2018 05:24:33 Voytek said: > > so if I have 25 clients on a NATed LAN, that's my connection count limit, > isn't it ? No. -- 2+2=5 for sufficiently large values of 2.

Re: New install - Temporary lookup failures when trying to send

On Mon Dec 03 2018 04:27:43 Matus UHLAR - fantomas said: > > pleaase, get a decent MUA, not applemail that tries to encode everything as > internet links (and messes up thge plaintext version of mail). What do you base this statement on? I’ve been using Apple’s Meal.app since around 2003

ClamAV-milter

Trying to configure clamav-milter with postfix-current-3.4.20181105,5 under FreeBSD 11.2-RELEASE, but I’ve missed something since no mail is actually getting processed by ClamAV-milter, including the EICAR test mails which sail through without triggering anything. I’ve tried to provide

Re: Convert quoted-printable headers

On 24 Nov 2018, at 14:37, Richard Damon wrote: > If you might be using characters beyond an 8-bit character set, then UTF-8 is > the best way to go. If there is even the slightest possibility that you will be using characters beyond the basic *7* bit character set, I would say that UTF-8 is

Re: Error on make of the latest 3.3.1 source at dict_db.c

On 8 Nov 2018, at 01:18, Robert Chalmers wrote: > Hi, I can see what the error message says . But I confess at this moment, I’m > at a loss as to how to fix it? > Where is it looking for this db? Postix used Berkely db for hash tables (files end in .db) nosema,ly the virtual file and the alias

Re: A better way to do secure SMTP

On 01 Nov 2018, at 13:48, Alice Wonder wrote: > Opportunistic TLS is a concept I do not like. DANE fixes the issues for > system admins willing to implement DNSSEC and add a TLSA record but it seems > many are not, so MTA-STS was invented. > > MTA-STS has the same flaw as opportunistic TLS. It

Re: Enabling TLSv1.2 support in postfix 2.8.2

On 25 Oct 2018, at 05:11, Ralph Seichter wrote: > Please don't try to spread your personal misjudgement as gospel, It is not mine, but thanks for playing. -- So now you know the words to our song, pretty soon you'll all be singing along, when you're sad, when you're lonely and it all turns out

Re: TLSv1.2 only for auth connection

On Oct 25, 2018, at 15:04, @lbutlr wrote: > Authentication port 25 is often simply opportunistic Sorry. I meant to type encryption, not authentication. -- This is my signature. There are many like it, but this one is mine.

Re: TLSv1.2 only for auth connection

On Oct 25, 2018, at 06:08, Thomas Bourdon wrote: > > My goal : All auth connections must be done with tlsv1.2 minimum. Others > connections can be done with tlsv1.0 minimum. This is fine. Authentication port 25 is often simply opportunistic and does not imply identify, only securing the data

Re: Enabling TLSv1.2 support in postfix 2.8.2

On Oct 24, 2018, at 09:19, Benny Pedersen wrote: > > do not disable tlsv1 I couldn’t disagree more. TLSv1.2 has been out for a decade and there is no reason to be running v1 or v1.1. At all. I’ve been running with TLSv1.2 only for over a year. -- This is my signature. There are many like

Re: check if envelope from and from is the same

On 04 Oct 2018, at 00:00, Tobi wrote: > if your auth senders spoof from headers: block their login account and > terminate their service Nothing necessarily wrong with spoofing From: noreply@ is a spoofed From: >> we're running a small smtp send only service for authenticated users >> only.

Re: BCC to a local account

On 21 Sep 2018, at 10:07, Stephen Carville wrote: > Add a procmail recipe One of these days, and a joyous day it will be, someone is going to take up the mantle of procmail maintainer and rewrite it to be modern, fast, and stable, No no, I hear your protests, but it's going to happen. Someday.

Re: Patch: eliminate postfix-script warnings about symlinks

On 06 Sep 2018, at 12:19, Luc Pardon wrote: > However, although symlinks inside the Postfix dirs were not needed in > the past, that has changed by now. They have become necessary because > OpenSSL needs them to find its certificates, so we can't just tell the > admin to get rid of them. The way

Re: Blocking spammers who spoof From: addresses from my domain

> On 13 Aug 2018, at 06:28, Bastian Blank > wrote: > > On Mon, Aug 13, 2018 at 05:19:18AM -0600, @lbutlr wrote: >> On 12 Aug 2018, at 17:29, Stuart Longland wrote: >>> We have a problem where some smart-arse spammers/phishers are spoofing >>> the

Re: Blocking spammers who spoof From: addresses from my domain

On 12 Aug 2018, at 17:29, Stuart Longland wrote: > We have a problem where some smart-arse spammers/phishers are spoofing > the From address, specifying our domain as their from address. In one > case, the person in question uses my personal address in the From, To > and Return-Path. In others,

Re: is possible modify the source address based on the subject?

On 07 Aug 2018, at 04:53, Wietse Venema wrote: > Maybe some Procmail rule can do all this. I don't use Procmail. You can, with enough staples and duct tape, do *anything* in procmail. However, it is old, krufty, not under development<1>, has several bugs, doesn’t understand mime, and I don’t

Greylisting (Was Re: Fall back to relay after [some] 5XX repl[ies] from destination?)

On 07 Aug 2018, at 04:49, Luc Pardon wrote: > but in any case it serves no useful purpose (unlike greylisting, SAV, etc. Are people still finding grey listing to be useful? I found it caused far more problems than it solved and the endless game of scanning logs for sites like Amazon that

Re: TLS not offered by host

On 1 Aug 2018, at 11:59, Viktor Dukhovni wrote: >> status=deferred (TLS is required, but was not offered by host > > Here, the "level" is "none". The remote site did not support STARTTLS. Ah. Yes, that makes sense, it just didn't occur to me a server in 2018 would do that, I figured it just

TLS not offered by host

When connecting to a server that does not offer TLS (or the right level) does postfix log (or can it) the level of security that was offered? status=deferred (TLS is required, but was not offered by host (I get very few of these (two servers in the last week), but I'd like to be able to tell

Re: Open Relay on local lan

On 24 Jul 2018, at 11:31, Software Information wrote: > Recently though, auditors made a deal that the server is an open relay. Based on the rest of this thread, it sounds very much like the auditors are incompetent. I mean, not knowing what an open relay is is concerning.

Re: Defer mail instead of bounce

On 28 Jun 2018, at 16:10, li...@mbchandler.net wrote: > I agree about the nameserver, but unfortunately I don't have a choice. I'm > required to use this one. Explain to the non-technical person mandating this, possibly using very small words, why the will result in lost mail. Your initial post

Re: Blocking TLDs with check_sender_access

On Jun 26, 2018, at 09:10, Viktor Dukhovni wrote: > No, it works substantially better in check_sender_access, and very poorly > in header_checks. It works very well for me, and has for years. -- This is my signature. There are many like it, but this one is mine.

Re: Blocking TLDs with check_sender_access

On 25 Jun 2018, at 14:45, Alex wrote: > I have a check_sender_access restriction that blocks many TLDs like > .red and .space. Problem is that we have one legitimate .red customer > (what was he thinking?) that needs to send us mail. How can I allow > this single domain? I use header checks:

Re: available: multiple deliveries per TLS-encrypted connection

On 18 Jun 2018, at 12:08, Wietse Venema wrote: > Wuetse Ah, Mondays! -- Is it my imagination, or do buffalo wings taste like chicken?

Re: your mail

On 5 Jun 2018, at 02:22, Matus UHLAR - fantomas wrote: > in postyfix queue each mail does have its unique ID. However, when pushed > through any kind of content filter, the ID changes. > Also, when mail gets forwarded, the ID changes. A new ID will be ADDED, but the original one remains in the

Re:

On 4 Jun 2018, at 14:34, Greg Strange wrote: > I am trying to track a single email throughout the entire postfix process. > The idea is that when a customer calls us and says that a certain email never > reached them, we can quickly trace the email through the logs and see that it > died due

Re: Emails from localhost

On 03 Jun 2018, at 16:08, Proxy wrote: > I'm confident that CentOS security team does a good job providing latest > security patches RedHat releases including those related to Postfix. Are you under the impression that CentOS is writing security patches for obsolete and unsupported versions

Re: [Postfix] Question about disabling SSLv2 and SSLv3 and Opportunistic TLS

On 29 May 2018, at 11:57, Viktor Dukhovni wrote: > The collation rules for "en_US" are abominable. I always set: > > LC_CTYPE=en_US.UTF-8 LANG=C Yep, strongly agree with this. I foolishly had LANG=en_US some time back thinking it was sensible. It is not. Everything breaks.

Re: Question about disabling SSLv2 and SSLv3 and Opportunistic TLS

On 2018-05-29 (02:35 MDT), Dirk Stöcker wrote: > > Do you maybe also have a command to show only changed parameters? This is doable, but it takes a bit more processing than a single line. Basically, a shell script that parses the output of join <(postconf -n) <(postconf -d | sed

Re: Question about disabling SSLv2 and SSLv3 and Opportunistic TLS

On 2018-05-28 (11:26 MDT), Viktor Dukhovni wrote: > > join <(postconf -n) <(postconf -d | sed 's/=/(default:/; s/$/)/') That's nifty! -- "you'd think you could trust a horde of hungarian barbarians"

Re: advice on postscreen setup / exception / dnsbls

On 26 May 2018, at 23:27, Voytek wrote: > On Sun, May 27, 2018 3:22 am, /dev/rob0 wrote: > >> The obvious solution, if dnsbl.spfbl.net is blocking real mail, is to >> stop using that list, or possibly to lower its score below your [unstated] >> threshold score. > > Thanks for

Re: Question about disabling SSLv2 and SSLv3 and Opportunistic TLS

On 26 May 2018, at 12:59, Benny Pedersen wrote: > just kidding, i would like to see main.cf smaller, so postconf -n gives more > settings as default from -d > > as it is now setting is more or less random default from main.cf > > keep main.cf minimal is good sense I’m not sure

Re: Question about disabling SSLv2 and SSLv3 and Opportunistic TLS

On 2018-05-26 (10:59 MDT), /dev/rob0 wrote: > Perhaps this could be reworded to be less confusing? Since "-d" > doesn't look at main.cf, s/main.cf/"Postfix internal"/? I dunno, I think "Print main.cf default parameter settings instead of actual settings." is very clear. --

<    1   2   3   4   5   6   7   >